Topics - vpx

1
General Discussion / High inblock packet count on passive LAN interfaces
« on: November 20, 2024, 04:02:17 pm »
Hello everyone,

I just noticed high inblock packet counts on LAN interfaces which just act as parent interfaces for VLAN interfaces.

How can these high packet numbers be explained, are they originating from the attached switch?

130-200m seem to be a lot of packets per second.

I know the underlying real physical interface of a VLAN does not have to be enabled for a VLAN to be working but I had problems with a WiFi controller and enabling the interface solved it.

The LAN interfaces have the configuration type "none". What would fix these high packet counts without disabling the underlying LAN interfaces?

For comparison I'll show the packet counts of a normal active "Static IPv4" LAN interface vs. a passive LAN interface.

2
24.1 Legacy Series / GeoIP database not updating in opnsense-business
« on: November 05, 2024, 01:42:32 pm »
I just noticed our GeoIP database has never been updated since the beginning. Version is OPNsense 24.4.3-amd64.

Is it only updated if there is actually a rule using a GeoIP alias?

I've not used this feature before but I'm planning to.

Documentation says if the "Url" field in "Firewall: Aliases: GeoIP settings" is empty in the Business Edition it will download the database from the OPNsense servers.

3
German - Deutsch / Wrong ID in Phase 1 with redundant IPsec connections
« on: September 14, 2023, 02:52:59 pm »
Hello everyone,

the IPsec connections actually work as intended.

Only when you add redundant lines does OPNsense apparently get confused with the IDs?

Is the procedure as shown in the screenshot correct?

The local side has 2 internet lines and the remote side has 2 internet lines, so redundancy on both sides.

I assume the rounds are processed one after the other, i.e. if round 0 fails, round 1 is carried out, and so on, or am I seeing this wrong?

The remote side is a Sophos UTM, whose internet line 1 is currently dead, by the way, an excavator hit the fibre ;D.

Here is the log from the OPNsense:

Code:
2023-09-14T14:38:34 Informational charon 10[ENC] <2325> generating INFORMATIONAL_V1 request 3229602726 [ HASH N(AUTH_FAILED) ]
2023-09-14T14:38:34 Informational charon 10[IKE] <2325> no peer config found
2023-09-14T14:38:34 Informational charon 10[CFG] <2325> looking for pre-shared key peer configs matching xx.xx.67.42...xx.xx.179.218[xx.xx.179.218]
2023-09-14T14:38:34 Informational charon 10[ENC] <2325> parsed ID_PROT request 0 [ ID HASH ]
2023-09-14T14:38:34 Informational charon 10[NET] <2325> received packet: from xx.xx.179.218[500] to xx.xx.67.42[500] (108 bytes)
2023-09-14T14:38:33 Informational charon 10[NET] <2325> sending packet: from xx.xx.67.42[500] to xx.xx.179.218[500] (460 bytes)

4
Hardware and Performance / BIOS and BMC firmware for Supermicro A2SDi-4C-HLN4F
« on: August 08, 2023, 09:37:18 am »
What is your current BIOS and BMC firmware version for this mainboard?

Current:

BIOS: 1.4 (01/29/2021)
BMC: 03.88 (02/21/2020)

Latest:

BIOS: 1.7a (10/13/2022)
BMC: 03.95 (12/23/2021)

Has anybody updated these firmwares to the latest versions?

Were there any problems with OPNsense?

I know you need to purchase an Out of Band (OOB) Software License Key to be even able to update the BIOS from the GUI.

5
General Discussion / How Microsoft Windows is flooding the dnsmasq log
« on: July 21, 2023, 08:48:25 am »
You may know the Network Connectivity Status Indicator (NCSI) in Windows which checks if you're connected to the Internet (shows a globe with prohibition sign when not connected).

It's all described here: https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions

Well, one of the active probes is a DNS query to "dns.msftncsi.com". Strangely, the IPv6 address this name resolves to is the unique local address (ULA) fd3e:4f5a:5b81::1, the equivalent of a private address in IPv4.

And that leads dnsmasq to log this DNS query as a rebind attack:

Code:
2023-07-21T08:10:00 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
Thanks to dave14305 at the OpenWRT forums for pointing that out: https://forum.openwrt.org/t/dns-rebind-attacks/150585/3

The funny thing is that in the Whois lookup of this address it states:

"remarks: This network should never be routed outside an enterprise"

https://findipv6.com/ipv6-whois/fd3e:4f5a:5b81::1

Microsoft is definitely an enterprise and the address is used outside of it.

So I created a group policy in the Windows domain to disable the active probing of NCSI. This reduced the amount of log entries but there are still PCs that are not in the domain.

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::NoActiveProbe

As there is no possibility to add a domain exception via the GUI, I also created a feature request.
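The post above explains why a perfectly legitimate NCSI lookup trips dnsmasq's rebind protection: the answer is a ULA, which dnsmasq treats like any other non-routable address. The following script is an added example and not part of the post; it triages dnsmasq rebind warnings from a constructed log sample, separates names on a known-benign allow list (here only dns.msftncsi.com, with the ULA from the post) from names that deserve a look, and emits the matching dnsmasq `rebind-domain-ok` directives. The allow list, the sample lines and the `intranet.example.test` name are constructed for the demonstration.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed sample in the format the OPNsense log view shows; the first line
# is the one from the post, the others are made up for the example.
SAMPLE_LOG = """\
2023-07-21T08:10:00 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
2023-07-21T08:10:05 Warning dnsmasq possible DNS-rebind attack detected: dns.msftncsi.com
2023-07-21T08:11:30 Warning dnsmasq possible DNS-rebind attack detected: intranet.example.test
2023-07-21T08:12:00 Informational dnsmasq started, version 2.89 cachesize 150
"""

REBIND_RE = re.compile(
    r"^(?P<ts>\S+) Warning dnsmasq possible DNS-rebind attack detected: (?P<name>\S+)$"
)

# Names known to resolve to non-routable addresses on purpose (assumed allow list).
# The NCSI entry and its ULA answer are taken from the post.
KNOWN_BENIGN = {"dns.msftncsi.com": "fd3e:4f5a:5b81::1"}


def is_non_routable(addr: str) -> bool:
    """True for RFC 1918 IPv4, ULA (fc00::/7), loopback and link-local addresses,
    i.e. the kinds of upstream answers dnsmasq's rebind protection refuses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def parse_rebind_warnings(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, name) for every rebind warning; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REBIND_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("name")))
    return hits


def triage(log_text: str) -> dict[str, dict[str, int]]:
    """Count warnings per name, split into 'expected' (allow-listed) and
    'investigate' (everything else, which may be a real rebind attempt)."""
    expected: Counter[str] = Counter()
    investigate: Counter[str] = Counter()
    for _ts, name in parse_rebind_warnings(log_text):
        if name in KNOWN_BENIGN and is_non_routable(KNOWN_BENIGN[name]):
            expected[name] += 1
        else:
            investigate[name] += 1
    return {"expected": dict(expected), "investigate": dict(investigate)}


def dnsmasq_exception_lines(allow: dict[str, str]) -> list[str]:
    """dnsmasq's own option for exempting a domain from rebind protection."""
    return [f"rebind-domain-ok=/{name}/" for name in sorted(allow)]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("expected:   ", result["expected"])
    print("investigate:", result["investigate"])
    print("\n".join(dnsmasq_exception_lines(KNOWN_BENIGN)))
```

The point of keeping the allow list tiny and explicit is that rebind protection exists for a reason: only names whose non-routable answer you have verified (as the post did via whois) should be exempted, and everything else stays in the "investigate" bucket.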

6
23.1 Legacy Series / Problem monitoring the gateway of a Viasat satellite connection
« on: July 05, 2023, 02:23:34 pm »
Hi there,

I have a problem with the monitoring of a satellite connection. It is a Viasat SurfBeam 2 modem.

The WAN4 interface gets its IP from a DHCP server of the SAT modem/router. Everything is working but the gateway is always shown as offline even when you see the RTT in the gateway overview.

For test purposes I already unchecked the options "Block private networks" and "Block bogon networks" in the WAN4 interface without an effect.

As you see all other WANs are monitored fine so I guess it's a weird problem in relation to the satellite modem.

Here is the packet capture of a ping to the DNS server which I use as the monitor IP (I also already tried the CloudFlare DNS 1.1.1.1, same result).

Code:
Interface Timestamp SRC DST output
WAN4
ix3 2023-07-05
12:43:26.873269 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 7282, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 481, length 8
WAN4
ix3 2023-07-05
12:43:27.453004 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 18232, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xxx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 481, length 8
WAN4
ix3 2023-07-05
12:43:31.980280 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 63227, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 482, length 8
WAN4
ix3 2023-07-05
12:43:32.575468 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 21553, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 482, length 8
WAN4
ix3 2023-07-05
12:43:36.982371 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 43380, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 483, length 8
WAN4
ix3 2023-07-05
12:43:37.571897 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 24420, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 483, length 8

While writing I found the problem myself: I just had to increase the "Latency thresholds" from the default 200/500 range to 700/900, because the RTT of a satellite connection is so high. Maybe it helps somebody in the future. :D
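The capture in the post already contains the answer; you just have to subtract the timestamps. The script below is an added example, not from the post: it pairs each ICMP echo request with its reply by (id, seq) in the capture text as printed above, computes the round-trip time, and checks the result against the old and new latency thresholds. The capture text is copied from the post (addresses masked as there); the three-state status logic (online below the low value, warning between the two, offline above the high value) is a simplified model of the gateway monitor's behaviour as the post describes it, and is an assumption of this example.

```python
from __future__ import annotations

import re
from datetime import datetime
from statistics import mean

# Constructed from the capture in the post (same timestamps, ids and seqs).
CAPTURE = """\
WAN4
ix3 2023-07-05
12:43:26.873269 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 7282, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 481, length 8
WAN4
ix3 2023-07-05
12:43:27.453004 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 18232, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xxx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 481, length 8
WAN4
ix3 2023-07-05
12:43:31.980280 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 63227, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 482, length 8
WAN4
ix3 2023-07-05
12:43:32.575468 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 21553, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 482, length 8
WAN4
ix3 2023-07-05
12:43:36.982371 3c:ec:xx:xx:xx:xx 00:a0:xx:xx:xx:xx ethertype IPv4 (0x0800), length 42: (tos 0x0, ttl 64, id 43380, offset 0, flags [none], proto ICMP (1), length 28)
10.80.xxx.xx > 70.41.xx.x: ICMP echo request, id 6505, seq 483, length 8
WAN4
ix3 2023-07-05
12:43:37.571897 00:a0:xx:xx:xx:xx 3c:ec:xx:xx:xx:xx ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 55, id 24420, offset 0, flags [none], proto ICMP (1), length 28)
70.41.xx.x > 10.80.xxx.xx: ICMP echo reply, id 6505, seq 483, length 8
"""

DATE_RE = re.compile(r"^\w+ (\d{4}-\d{2}-\d{2})$")          # "ix3 2023-07-05"
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) ")           # packet timestamp line
ICMP_RE = re.compile(r"ICMP echo (request|reply), id (\d+), seq (\d+)")


def parse_probes(capture: str) -> dict[tuple[int, int], dict[str, datetime]]:
    """Map (icmp id, seq) -> {'request': ts, 'reply': ts}; the date comes from the
    interface header line that precedes each packet in the capture view."""
    probes: dict[tuple[int, int], dict[str, datetime]] = {}
    date, ts = None, None
    for line in capture.splitlines():
        if m := DATE_RE.match(line):
            date = m.group(1)
        elif m := TS_RE.match(line):
            ts = datetime.fromisoformat(f"{date}T{m.group(1)}")
        elif (m := ICMP_RE.search(line)) and ts is not None:
            kind, icmp_id, seq = m.group(1), int(m.group(2)), int(m.group(3))
            probes.setdefault((icmp_id, seq), {})[kind] = ts
    return probes


def rtts_ms(probes: dict[tuple[int, int], dict[str, datetime]]) -> list[float]:
    """Round-trip time in milliseconds for every probe that has both halves."""
    return [
        (p["reply"] - p["request"]).total_seconds() * 1000.0
        for _key, p in sorted(probes.items())
        if "request" in p and "reply" in p
    ]


def gateway_status(rtt_ms: float, low_ms: float, high_ms: float) -> str:
    """Assumed simplified threshold model: above the high value the monitor treats
    the gateway as offline, between the two it only warns."""
    if rtt_ms > high_ms:
        return "offline"
    if rtt_ms > low_ms:
        return "warning"
    return "online"


if __name__ == "__main__":
    rtts = rtts_ms(parse_probes(CAPTURE))
    avg = mean(rtts)
    print(f"RTT samples: {[round(r, 1) for r in rtts]} ms, average {avg:.1f} ms")
    print("default 200/500 ->", gateway_status(avg, 200, 500))
    print("raised  700/900 ->", gateway_status(avg, 700, 900))
```

The three samples come out at roughly 580-595 ms, so with the default 200/500 ms thresholds every probe sits above the high value and the gateway is reported offline although replies arrive; with 700/900 ms the same data reads as online.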

7
Tutorials and FAQs / [Tutorial] OPNsense - Create a Postfix Mail Relay for Exchange Online in 8 steps
« on: June 26, 2023, 04:25:48 pm »
1. Go to System->Settings->Plugins, search for "os-postfix" and install it via the + sign on the right (in the screenshot it is already installed, that's why it shows a trash bin to remove it).



2. Refresh the Web GUI with F5 and you'll find "Postfix" under Services. Go to Services->Postfix->Domains and add your own domain, the field "Destination" is your Exchange Online target.



3. Go to Senders and add the e-mail address you want to send from; if you want to allow all e-mail addresses, then just leave it empty.



4. Go to Services->Postfix->General and change "IP Version" to "IPv4" if you don't use IPv6. In "Trusted Networks" add your local subnet (in this case 192.168.3.0/24) or add single IPs for every allowed host. I don't know if the field "Smart Host" here is working at all, it had no effect if it was filled or empty. Maybe it just works with authentication which we don't need in this case.


OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved